← back
CVE-2026-35457

libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion

CVSS 8.2 HIGHEPSS 0.3%CWE-770
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.2EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
07 Apr 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Affected products
libp2p · rust-libp2p

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7